Presentation is loading. Please wait.

Presentation is loading. Please wait.

Segment Routing.

Published byΝικολίτα Χρηστόπουλος Modified over 6 years ago

Similar presentations

Presentation on theme: "Segment Routing."— Presentation transcript:

1 Segment Routing

2 Source routing IP routing is based on destination addresses (and perhaps DSCP) but sometimes we need control over the precise path a packet travels to its destination For example in DCs we need to ensure packets traverse nodes (in order) for security we may need to avoid a particular router policy-based routing enables overriding default routing we may need paths with special characteristics (e.g., low delay) IP protocols provide mechanisms called Source Routing IPv4 source routing options (Loose SR, Strict SR) IPv6 type 0 routing header extension (Rh0) SR inserts sequences of router addresses into packet headers

3 Source routing example
shortest path SR path A B C D E Loose SR – A C D Strict SR – A B C D E

4 Source routing is evil Yet source routing is problematic
There are several reasons why source routing is evil complicated processing for core routers DoS attack – attacker forces packets to traverse selected routers, thus overloading them amplified DoS attack – attacker forces packet to oscillate between 2 selected routers infiltration attack – attacker bypasses ACLs by forwarding through a permitted waypoint The IETF has not yet completely deprecated it but highly recommends that it be disabled Core Internet routers drop packets with options (Linux kernels no longer process Source Routing)

5 Safe policy-based routing
But without SR, how can we achieve policy based routing? There are 2 alternatives Software Defined Networking SDN give the network administer full control over routing particular flows can be configured to traverse arbitrary paths CE with NMS, and MPLS-TE with PCE are essentially the same But SDN requires relatively large architectural changes enables attacks (and plain bugs) at control plane level Segment Routing Segment routing is similar to Source Routing, but the path is specified by an ingress router, not by the source host thus blocking Source Routing attacks (unless a router is compromised)

6 Segment routing vs. SDN In SDN the network maintains per-application/flow state With SR forwarding instructions provided in the packet. In SDN all the intelligence is in the centralized controller the SDN switches are dumb, fast, and inexpensive SR burdens the ingress LER (like PCE) it needs to digest the IGP, prepare the label stack, ... OpenFlow-like based SDN has a major design flaw flows are identified by configuring matching tables matching table logic for 1 flow may influence other flows so even minor bugs, and certainly malicious rules may impact services that have been running perfectly for years Errors in Segment Routing only affects the flow itself Both SR and SDN can coexist with conventional networking

7 MPLS-based Segment Routing
MPLS forwards packets using a simple universal paradigm read ToS Label look up label in LFIB perform label stack operation (swap, push, pop) in NHLFE forward packet according to NHLFE In regular MPLS networks most of the time the label stack operation is swap pop is used by egress LERs and FRR MPLS segment routing reuses the standard MPLS mechanism ingress LER inserts an entire stack of labels, one per hop each LSR pops a label revealing the next hop MPLS SR doesn’t require LDP or RSVP-TE (but extends the IGP)

8 MPLS Segment Routing example
desired path label = A ingress LER egress LER label = B label = C A B C ToS BoS 1 2 3 Ingress LER inserts label stack with 3 labels : A (ToS), B, C (BoS) 1st LSR reads A, pops label, forwards over link for A 2nd LSR reads B, pops label, forwards over link for B 3rd LSR reads C, pops label, forwards over link for C

9 Global and local segments
In Segment Routing the labels are called Segment IDs (SIDs) in MPLS SR the SID is the 20-bit label and in IPv6 SR (SRv6) it is a 128-bit address There are 2 main types of SIDs : An adjacency SID (local SID) refers to a link (port) it has local significance (like normal MPLS labels) only the LSR advertising it can use it with that meaning A node SID (prefix SID, global SID) refers to a destination node if has global significance (unique, like IP addresses) the network forwards over the shortest path to the node every LSR has the same entry in its LFIB WARNING: this is a simplification

10 Label distribution The ingress LER learns nodes and adjacencies
from the Interior Gateway Protocol (e.g., OSPF or IS-IS) Hence, it can select each node and link to be traversed along the desired path The source LSR can insert (global) node SIDs (either direct or loose) or adjacency SIDs or combinations But how does the source LSR know the labels that indicates to an LSR to forward over a desired link? Segment Routing augments the IGP with label information (LDP is no longer needed)

11 Segments as instructions
Constructing a segment routing label stack is similar to programming in a low-level language Each label can be considered to be an instruction (op-code) The ingress LER encodes the list of instructions (SIDs) and each LSR interprets and executes one instruction thus making the networking into a giant processor Segment instructions can be: Forward over link L Go to node N using the shortest path Apply service S

12 IPv6 extension headers The standard IPv6 header looks like this:
and by using “Next Header” one can add options in particular, the routing extension header VER=6 TC 8b Flow label 20b Payload Length 16b Next Header 8b Hop Limit 8b Source Address (SA) 128 bits Destination Address (DA) 128 bits Next Header 8b Header Len 8b options + padding options + padding Next Header 8b Header Len 8b Type 8b Segments Left 8b optional type-specific data

13 SRv6 extension header (SRH)
SRv6 uses the routing extension header with type = 4 and multiple SRv6 segments are concatenated Next Header identifies the type of header after the SRH Segments Left is decremented at each segment Last Entry = n (the last entry in the segment list) Flags include P (protected) O (OAM) A (Alert) and H (HMAC) Next Header 8b Header Len 8b Type=4 8b Segments Left 8b Last Entry 8b Flags 8b Tag Segment[0] 128b Segment[1] 128b ... Segment[n] 128b optional TLVs

14 Unified-IP-SR There is another encapsulation for SR in IP networks
RFC 7510 defines MPLS-in-UDP for IPv4 or IPv6 networks This encapsulation may be better than RFC 4023 since it enables fine grain load balancing using ECMP for IPv4 by using the UDP port for entropy (IPv6 already has the flow label) Unified-IP-SR exploits MPLS-in-UDP to carry MPLS SR Routers must be capable of this new type of forwarding and must advertise this capability in the IGP but Unified-IP-SR can function with a mixture of unified-IP-SR capable and legacy routers MPLS-in-IP MPLS-in-GRE-in-IP

15 FRR and LFA One of the deficiencies of SDN is the lack of resilience methods OpenFlow provides a mechanism via group tables Segment routing enables new resilience methods that do not require signaling that do not require maintaining massive network state that avoid looping One such method is Topology Independent Loop Free Alternatives – TI-LFA In order to understand TI-LFA we need to first review MPLS Fast ReRoute - FRR IP Loop Free Alternatives - LFA MPLS LFA

16 MPLS Fast ReRoute FRR is a local detour method (not an end-to-end APS method) to reroute quickly we pre-prepare labels for the bypass links 10 11 12 swap + push pop 13 14 from here on no difference! when link is down change fwd table protection LSP

17 LFA LFA FRR is another precomputed path Fast ReRoute mechanism
works with plain IP or MPLS exploits an alternative to the default next hop the alternative forwards to the destination (in any case) without passing through the failed element (loop free) A Loop Free Alternative with respect to an element (link/node) for a destination is a router/LSR that is not the default next hop is connected to the destination does not forward through the element hence does not need to know about the failure) D S 1 2 3 default NH LFA

18 Finding LFAs In order to a loop free alternative node
1. find the set P all nodes still connected to the source in the event of failure 2. find the set Q all the nodes that forward to the destination without failure 3. find the set PQ = the intersection of P and Q 4. choose a closest node in PQ Note that PQ may be empty LFA does not always succeed! 1 2 PQ S P Q closest D 3 4 5

19 MPLS LFA with targeted LDP
After choosing the closest PQ node the source LSR needs to push 2 labels on the label stack top label to reach chosen LFA label to reach destination LSR D after LFA pops the top label But how does the source LSR know the label the LFA uses to reach D ? it must open a targeted LDP session to find out! P PQ PQ PQ P PQ P 4 3 2 1 Q 5 LFA LDP S D 2 1 Q Q

20 TI-LFA TI-LFA exploits MPLS SR
to avoid having to open targeted LDP sessions The source LSR knows all the labels from the IGP and can build the MPLS SR label stack accordingly using any PQ node This capability is Topology Independent in the sense that a loop free backup path is found irrespective of the topologies before and after the failure Using deeper label stacks affords more flexibility Immediately upon discovering the failure the source LSR can use the new SR label stack so the protection switch time is minimal

21

Download ppt "Segment Routing."

Similar presentations

MPLS VPN.

MPLS VPN.
OLD DOG CONSULTING Challenges and Solutions for OAM in Point-to-Multipoint MPLS Adrian Farrel, Old Dog Consulting Ltd. Zafar Ali, Cisco Systems, Inc.

OLD DOG CONSULTING Challenges and Solutions for OAM in Point-to-Multipoint MPLS Adrian Farrel, Old Dog Consulting Ltd. Zafar Ali, Cisco Systems, Inc.
MULTIPROTOCOL LABEL SWITCHING Muhammad Abdullah Shafiq.

MULTIPROTOCOL LABEL SWITCHING Muhammad Abdullah Shafiq.
IPv4 - The Internet Protocol Version 4

IPv4 - The Internet Protocol Version 4
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
Restoration by Path Concatenation: Fast Recovery of MPLS Paths Anat Bremler-Barr Yehuda Afek Haim Kaplan Tel-Aviv University Edith Cohen Michael Merritt.

Restoration by Path Concatenation: Fast Recovery of MPLS Paths Anat Bremler-Barr Yehuda Afek Haim Kaplan Tel-Aviv University Edith Cohen Michael Merritt.
© 2010 Cisco and/or its affiliates. All rights reserved. 1 Segment Routing Clarence Filsfils – Distinguished Engineer Christian Martin –

© 2010 Cisco and/or its affiliates. All rights reserved. 1 Segment Routing Clarence Filsfils – Distinguished Engineer Christian Martin –
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.
Pseudowire Endpoint Fast Failure Protection draft-shen-pwe3-endpoint-fast-protection-00 Rahul Aggarwal Yimin Shen

Pseudowire Endpoint Fast Failure Protection draft-shen-pwe3-endpoint-fast-protection-00 Rahul Aggarwal Yimin Shen
CS 672 1 Summer 2003 Lecture 12 FastReRoute (FRR) - Big Picture.

CS Summer 2003 Lecture 12 FastReRoute (FRR) - Big Picture.
CS 672 1 Summer 2003 Lecture 14. CS 672 2 Summer 2003 MPLS VPN Architecture MPLS VPN is a collection of sites interconnected over MPLS core network. MPLS.

CS Summer 2003 Lecture 14. CS Summer 2003 MPLS VPN Architecture MPLS VPN is a collection of sites interconnected over MPLS core network. MPLS.
MPLS H/W update Brief description of the lab What it is? Why do we need it? Mechanisms and Protocols.

MPLS H/W update Brief description of the lab What it is? Why do we need it? Mechanisms and Protocols.
MPLS and Traffic Engineering

MPLS and Traffic Engineering
COS 420 Day 16. Agenda Assignment 3 Corrected Poor results 1 C and 2 Ds Spring Break?? Assignment 4 Posted Chap 16-20 Due April 6 Individual Project Presentations.

COS 420 Day 16. Agenda Assignment 3 Corrected Poor results 1 C and 2 Ds Spring Break?? Assignment 4 Posted Chap Due April 6 Individual Project Presentations.
A Study of MPLS Department of Computing Science & Engineering DE MONTFORT UNIVERSITY, LEICESTER, U.K. By PARMINDER SINGH KANG

A Study of MPLS Department of Computing Science & Engineering DE MONTFORT UNIVERSITY, LEICESTER, U.K. By PARMINDER SINGH KANG
1 MPLS Architecture. 2 MPLS Network Model MPLS LSR = Label Switched Router LER = Label Edge Router LER LSR LER LSR IP MPLS IP Internet LSR.

1 MPLS Architecture. 2 MPLS Network Model MPLS LSR = Label Switched Router LER = Label Edge Router LER LSR LER LSR IP MPLS IP Internet LSR.
1 Multi-Protocol Label Switching (MPLS) presented by: chitralekha tamrakar (B.S.E.) divya krit tamrakar (B.S.E.) Rashmi shrivastava(B.S.E.) prakriti.

1 Multi-Protocol Label Switching (MPLS) presented by: chitralekha tamrakar (B.S.E.) divya krit tamrakar (B.S.E.) Rashmi shrivastava(B.S.E.) prakriti.
1 Multi Protocol Label Switching Presented by: Petros Ioannou Dept. of Electrical and Computer Engineering, UCY.

1 Multi Protocol Label Switching Presented by: Petros Ioannou Dept. of Electrical and Computer Engineering, UCY.
1 Multi-Protocol Label Switching (MPLS). 2 MPLS Overview A forwarding scheme designed to speed up IP packet forwarding (RFC 3031) Idea: use a fixed length.

1 Multi-Protocol Label Switching (MPLS). 2 MPLS Overview A forwarding scheme designed to speed up IP packet forwarding (RFC 3031) Idea: use a fixed length.

Similar presentations

Ads by Google